kadm5.acl man page

The Kerberos kadmind(8) daemon uses an Access Control List (ACL) file to manage access rights to the Kerberos database. For operations that affect principals, the ACL file also controls which principals can operate on which other principals.

The default location of the Kerberos ACL file is /var/kerberos/krb5kdc/kadm5.acl unless this is overridden by the acl_file variable in kdc.conf(5).

Specifies what operations may or may not be performed by a principal matching a particular entry. This is a string of one or more of the following list of characters or their upper-case counterparts. If the character is upper-case, then the operation is disallowed. If the character is lower-case, then the operation is permitted.

a

[Dis]allows the addition of principals or policies

c

[Dis]allows the changing of passwords for principals

d

[Dis]allows the deletion of principals or policies

e

[Dis]allows the extraction of principal keys

i

[Dis]allows inquiries about principals or policies

l

[Dis]allows the listing of all principals or policies

m

[Dis]allows the modification of principals or policies

p

[Dis]allows the propagation of the principal database (used in incr_db_prop)

s

[Dis]allows the explicit setting of the key for a principal

x

Short for admcilsp. All privileges (except e)

*

Same as x.

NOTE:

The extract privilege is not included in the wildcard privilege; it must be explicitly assigned. This privilege allows the user to extract keys from the database, and must be handled with great care to avoid disclosure of important keys like those of the kadmin/* or krbtgt/* principals. The lockdown_keys principal attribute can be used to prevent key extraction from specific principals regardless of the granted privilege.

(line 1) Any principal in the ATHENA.MIT.EDU realm with an admin instance has all administrative privileges except extracting keys.

(lines 1-3) The user joeadmin has all permissions except extracting keys with his admin instance, joeadmin/admin@ATHENA.MIT.EDU (matches line 1). He has no permissions at all with his null instance, joeadmin@ATHENA.MIT.EDU (matches line 2). His root and other non-admin, non-null instances (e.g., extra or dbadmin) have inquire permissions with any principal that has the instance root (matches line 3).

(line 4) Any root principal in ATHENA.MIT.EDU can inquire or change the password of their null instance, but not any other null instance. (Here, *1 denotes a back-reference to the component matching the first wildcard in the actor principal.)

(line 5) Any root principal in ATHENA.MIT.EDU can generate the list of principals in the database, and the list of policies in the database. This line is separate from line 4, because list permission can only be granted globally, not to specific target principals.

(line 6) Finally, the Service Management System principal sms@ATHENA.MIT.EDU has all permissions except extracting keys, but any principal that it creates or modifies will not be able to get postdateable tickets or tickets with a life of longer than 9 hours.

The ACL file can coexist with other authorization modules in release 1.16 and later, as configured in the kadm5_auth section of krb5.conf(5). The ACL file will positively authorize operations according to the rules above, but will never authoritatively deny an operation, so other modules can authorize operations in addition to those authorized by the ACL file.

To operate without an ACL file, set the acl_file variable in kdc.conf(5) to the empty string with acl_file = "".